The rules governing processing of personal data within health and medical care can be found in the Patient Data Act (2008:355), which when it came into force in 2008 superseded the Care Registers Act and the Patient Records Act. The Patient Data Act is applied by all care providers, both public and private.
The Patient Data Act is complementary to the General Data Protection Regulation
The General Data Protection Regulation is directly applicable as Swedish law. Care providers must thus apply the General Data Protection Regulation together with the complementary Data Protection Act and Patient Data Act, insofar as those Acts are compatible with the General Data Protection Regulation.
The Patient Data Act's relationship to the Criminal Data Act
The General Data Protection Regulation is not applicable to processing of personal data that is carried out with the purpose of preventing, investigating, detecting or prosecuting crimes or executing sentences. In processing of personal data for such a purpose within health and medical care it is not the Patient Data Act that applies but the upcoming Criminal Data Act. The Criminal Data Act is expected to come into force on 1 August 2018.
This means that in health and medical care operations that process personal data for the execution of sentences, different regulatory frameworks may be applicable depending on the purpose of the personal data processing. Within forensic psychiatric care, both the Patient Data Act and the Criminal Data Act for example may be applicable in decisions concerning both the forensic psychiatric care and coercive measures.
The Patient Data Act covers among other things:
- Care providers have the possibility to give the patient direct access, for example via the Internet, to the patient's care documentation and to the access logs (that is, a history of who has accessed the patient's data).
- Electronic health records, which means that several care providers can give and be given direct access to each other's patient records if they satisfy the Patient Data Act's requirements.
- Inner secrecy – a provision that means that only a person who needs the information in his or her work in health and medical care may see patient data. This is made clear through the Patient Data Act requiring authorisation and access control.
- The patient has the right to block data both in the care provider's patient record system and for other care providers in the case of electronic health records.
The Patient Data Act is supplemented by the Patient Data Regulation (2008:360) and the National Board of Health and Welfare's regulations and general guidelines concerning patient records and processing of personal data within health and medical care (HSLF-FS 2016:40).
The patient has the right to be given access to his or her information
As a care provider you are the personal data controller for the processing of personal data that you perform. You are obliged to maintain a health record for each patient and personal data processing may be performed even if the patient objects to such processing. However, the patient has the right to see information in the patient's health record.
The patient's possibilities for direct access
A care provider has the possibility, but no obligation, to give the patient direct access to information about the patient him- or herself that may be disclosed to the patient and that is processed for the purpose of care documentation. Before a patient can be given direct access to his or her patient data, technical security measures must be in place that make it possible to verify the identity of the person requesting the information.
At the patient's request, the care provider must provide information about the access to the patient's data that has taken place. In this way, however, the patient only has the right to be informed of which healthcare unit has accessed the patient's data, and the information must be presented in such a way that the patient can assess whether the access was justified or not. The care provider is obliged to provide the information on paper and may also give the patient direct access to it, provided the same security requirements are met as for the patient's direct access to his or her own health records.
Only authorised staff are allowed to see secret information
Inner secrecy means that only staff who are involved in the care and treatment of the patient, or who for some other reason need the information to do their work in health and medical care, are to be allowed to see the information relating to the patient. As a care provider you are responsible for ensuring that authorisation to access patient data is limited to what the care staff need in order to carry out their tasks in health and medical care. Inner secrecy is to be maintained by means of technical solutions for granting authorisation and for access control.
Another care provider's access through electronic health records
Electronic health records allow a care provider to under certain conditions access personal data handled by other care providers for purposes relating to care documentation. Provisions concerning electronic health records can be found in Chapter 6 of the Patient Data Act.
Before a care provider makes the information accessible by means of electronic health records, the patient must be informed of what electronic health records involve, about the possibility to object to the information being made accessible to other care providers, and the care provider's obligation to then block the information.
For a care provider to be able to process information that another care provider has made accessible in the electronic health records system, the following must be fulfilled:
- the information concerns a patient for whom there exists a current patient relationship
- the information can be assumed to have importance as regards the prevention, investigation and treatment of diseases and injuries that the patient is suffering from within health and medical care, and
- the patient consents to it.
If these conditions are met, the user may access the information by making an active choice in the records system. This active choice confirms that the user has assessed that the conditions are met. A care provider who is granted access to information through the electronic health records system is the personal data controller with regard to the processing of personal data that is performed in the health and medical care activities and is responsible for ensuring that the information is handled in accordance with the provisions of the Patient Data Act.
The care provider is then responsible for ensuring that authorisation to access patient data is limited to what the care staff need in order to carry out their tasks in health and medical care, and for ensuring that the access logs are followed up.
Only care providers may see personal data by means of electronic access
It is only a person who works for a care provider and who is involved in the care of the patient or for some other reason needs the information to do his or her work who is to be allowed to see the information about the patient. Other actors, for example the social services, can thus not see patient records by means of an electronic health records system.
The patient has the right to block information
If a patient so requests, all information in the care documentation must be blocked, meaning that other care providers do not have direct access to it. However, the fact that blocked data exists, and which care provider inserted the block, cannot be hidden.
The care provider who inserted the block must remove it if the patient so requests. If the patient is unable to have the information unblocked and there is a danger to his or her life or another serious risk to the patient's health, a care provider who needs to see the blocked information relating to the patient can, by making an active choice, be informed of what blocked information exists with other care providers. If the information held by other care providers can be assumed to be of importance for the care that the patient unavoidably needs, the care provider can remove the block through a further active choice. Only the care provider who inserted the block can remove it, and then only on the specific occasion and with regard to the information that is needed for the care that the patient unavoidably needs.
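The access rules for electronic health records set out above (the three access conditions and the active choice, patient blocking, emergency access to blocked data, and the access log a patient may ask to see) describe an access-control decision. The following is an added illustrative model of that decision, not code from the Swedish Authority for Privacy Protection or from any records system; the data model, the field names and the outcome strings are assumptions made for the example, and the sample record and requests are constructed.

```python
"""Illustrative model of the Patient Data Act's electronic-health-records access
rules (added example; data model and names are assumptions, not from any real
records system)."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class Record:
    provider: str           # care provider that holds the record
    patient_id: str
    content: str
    category: str           # what kind of information it is (e.g. "psychiatry")
    blocked: bool = False   # block inserted at the patient's request


@dataclass
class AccessRequest:
    provider: str                 # care provider the requesting user works for
    unit: str                     # healthcare unit reported back to the patient
    user: str
    current_relationship: bool    # condition 1: current patient relationship
    relevant_to_care: bool        # condition 2: importance for the patient's care
    patient_consents: bool        # condition 3: patient consent
    active_choice: bool           # user confirmed in the system that 1-3 are met
    is_care_provider: bool = True # social services etc. are not care providers
    emergency: bool = False       # danger to life/health, patient cannot unblock
    second_active_choice: bool = False  # emergency: confirm the data is needed


audit_log: list[dict] = []        # every access attempt, successful or not


def _decide(req: AccessRequest, rec: Record, outcome: str,
            info: Optional[str] = None) -> tuple[str, Optional[str]]:
    """Log the attempt (with the user, for the provider's own follow-up) and return it."""
    audit_log.append({"time": datetime.now(timezone.utc).isoformat(),
                      "patient_id": rec.patient_id, "record_provider": rec.provider,
                      "unit": req.unit, "user": req.user, "outcome": outcome})
    return outcome, info


def request_access(req: AccessRequest, rec: Record) -> tuple[str, Optional[str]]:
    """Decide whether a user at one care provider may read another provider's record."""
    if req.provider == rec.provider:
        raise ValueError("own records fall under inner secrecy, not these rules")
    if not req.is_care_provider:
        return _decide(req, rec, "denied: not a care provider")
    if rec.blocked:
        if not (req.emergency and req.active_choice):
            # Only the existence of the block and who inserted it is visible.
            return _decide(req, rec, f"blocked by {rec.provider}")
        if not req.second_active_choice:
            # First active choice: learn what blocked information exists, not its content.
            return _decide(req, rec, "blocked data exists",
                           f"{rec.category} record held by {rec.provider}")
        if not req.relevant_to_care:
            return _decide(req, rec, "denied: not needed for unavoidable care")
        # Second active choice: access for this occasion only; the block stays in place.
        return _decide(req, rec, "emergency access", rec.content)
    if not (req.current_relationship and req.relevant_to_care and req.patient_consents):
        return _decide(req, rec, "denied: access conditions not met")
    if not req.active_choice:
        return _decide(req, rec, "denied: no active choice")
    return _decide(req, rec, "granted", rec.content)


def block_at_patient_request(rec: Record) -> None:
    rec.blocked = True


def remove_block(rec: Record, acting_provider: str) -> None:
    """Only the care provider that inserted the block may remove it."""
    if acting_provider != rec.provider:
        raise PermissionError("only the blocking care provider may remove the block")
    rec.blocked = False


def patient_access_report(patient_id: str) -> list[dict]:
    """What the patient may be told: which unit accessed the data and when, not which user."""
    return [{"time": e["time"], "unit": e["unit"], "outcome": e["outcome"]}
            for e in audit_log
            if e["patient_id"] == patient_id
            and e["outcome"] in ("granted", "emergency access")]


if __name__ == "__main__":
    # Constructed sample data.
    rec = Record("Region A", "p1", "allergy: penicillin", "internal medicine")
    req = AccessRequest("Clinic B", "Clinic B emergency dept", "nurse42",
                        current_relationship=True, relevant_to_care=True,
                        patient_consents=True, active_choice=True)
    print(request_access(req, rec))
    block_at_patient_request(rec)
    print(request_access(req, rec))
    print(patient_access_report("p1"))
```

Two design points worth noting: the internal audit log records the user, because the care provider must follow up its logs, while the report returned to the patient carries only the healthcare unit; and the emergency path never clears the blocked flag, so the exception is confined to the single occasion on which it was made.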
National and regional quality registers
In health and medical care there are quality registers that are used to develop and secure the quality of care systematically and on a continuous basis. The Patient Data Act contains provisions to the effect that the patient has the right to be given information about the registration, the right not to be registered in a quality register, and the right to subsequently be erased from the register.
Processing of genetic data in national quality registers
Information to authorities who are personal data controllers – and their employees – for central processing of personal data in national and regional quality registers under Chapter 7 of the Patient Data Act (2008:355).
Swedish Authority for Privacy Protection here describes its assessment of the cases in which Swedish Authority for Privacy Protection's consent is needed for processing genetic data in quality registers.
Through the General Data Protection Regulation genetic data has been added to the category 'sensitive personal data' and is described as personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question (Article 4.13 of the General Data Protection Regulation).
Personal data concerning health should include all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject. This includes information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples and any information on, for example, a disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state of the data subject independent of its source, for example from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test (Recital 35 of the General Data Protection Regulation).
Sensitive personal data in quality registers
Information on health may be processed in national and regional quality registers; other sensitive personal data may be processed in quality registers with the consent of Swedish Authority for Privacy Protection under Chapter 7 Section 8 Paragraph 3 of the Patient Data Act.
To be allowed to process genetic data in a quality register, the main rule is that the consent of Swedish Authority for Privacy Protection is required. When genetic data is included in data on a person's health status, it is Swedish Authority for Privacy Protection's assessment that no special consent is required to be allowed to process this data. This means that the personal data controller for a quality register does not need to apply for consent from Swedish Authority for Privacy Protection to be allowed to process genetic data if that data also constitutes data on health.
The General Data Protection Regulation is an EU-wide regulatory framework that is to be applied and interpreted uniformly throughout the EU. Swedish Authority for Privacy Protection's interpretation may therefore be re-examined at a later date.
Swedish Authority for Privacy Protection supervises how care providers apply data protection regulations, which means that Swedish Authority for Privacy Protection can for example check that care providers take security measures to protect patient data. The Health and Social Care Inspectorate (IVO) is the supervisory authority for health and medical care.
If the information in other languages differs from the Swedish version, it is the Swedish version that applies.